If they steal your unencrypted laptop and you are logged in to your Gmail in the browser, they can even access that and reset your password on any account you have.
Rightly, this is not part of the threat model for Trello.
I believe you're mistaken. They would need your password to boot up the computer or unlock your screen. I think the cookies on Chrome are encrypted using the same mechanism as node-keytar. I didn't say anything about stealing a laptop while it's logged in. I just mean physically stealing the laptop.
You could argue that the number of people who protect their computer by password but don't encrypt their disks is too small or isn't worth worrying about. But I know that there is a significant portion of users that has it set up this way.
If your disk is unencrypted, all I need to do is mount your disk on my computer and point my Chrome user disk to /mnt/stolen_drive/home/users/James/chrome_data and I have all your cookies.
I'm not sure about Linux, but on Windows this is trivial. If you are concerned about this attack vector, then encrypt this drive. If you are hit by an RCE, then your Trello keys are the least of your problems.
On Windows, DPAPI may protect you against unprivileged code execution, but it will not protect you against a privileged RCE or someone physically mounting your unencrypted hard drive.
I'm not sure what the state of the art in Linux or OS X's keychain is, but I wouldn't be surprised if they don't try to protect against that threat vector as well.